lockfile | a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0

Analysis

max time kernel
133s
max time network
45s
platform
windows7_x64
resource
win7-en-20210920
submitted
22-09-2021 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
Size

250KB
MD5

ef37842fc159631f9dd8f94c5e05a674
SHA1

07e19dd6f2b5ebe86614251860a067012d2a0ce9
SHA256

a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0
SHA512

e45235cea10568547a0cf9b3c3d5550eb76a67ebd950dad17bbd4fb1e441c9f904e7c6c0e268e1a8a8d6374de229bd0f096f4b45983febf6237987823ced00a4

Score

10^/10

lockfile ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Public\LOCKFILE-README.hta

Family

lockfile

Ransom Note

LOCK FILE Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: contact us qTox ID: B2F873769EB6B508EBC2103DDEB7366CEFB7B09AB8314DAD0C4346169072686690489B47EAEB https://tox.chat/download.html Email: [email protected] Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://zqaflhty5hyziovsxgqvj2mrz5e5rs6oqxzb54zolccfnvtn5w2johad.onion This link only works in Tor Browser! Follow the instructions on this page Do not try to recover files yourself. this process can damage your data and recovery will become impossible Do not rename encrypted files. Do not waste time trying to find the solution on the Internet. The longer you wait, the higher will become the decryption key price Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Thanks to the warning wallpaper provided by lockbit, it's easy to use

Emails

[email protected]

URLs

https://tox.chat/download.html

http://zqaflhty5hyziovsxgqvj2mrz5e5rs6oqxzb54zolccfnvtn5w2johad.onion

Signatures

LockFile
LockFile is a new ransomware that emerged in July 2021 with ProxyShell vulnerabilties.
ransomware lockfile

Drops file in Drivers directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\UMDF\de-DE\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\drivers\UMDF\ja-JP\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\fr-FR\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\drivers\en-US\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\drivers\etc\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\drivers\UMDF\en-US\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\de-DE\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\drivers\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\drivers\ja-JP\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\drivers\UMDF\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\ja-JP\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\drivers\de-DE\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\drivers\fr-FR\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\drivers\UMDF\fr-FR\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\drivers\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\drivers\en-US\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\FormatProtect.tif => C:\Users\Admin\Pictures\formatprotect.tif.lockfile	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File renamed	C:\Users\Admin\Pictures\FormatSplit.crw => C:\Users\Admin\Pictures\formatsplit.crw.lockfile	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File renamed	C:\Users\Admin\Pictures\SwitchConvert.raw => C:\Users\Admin\Pictures\switchconvert.raw.lockfile	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File renamed	C:\Users\Admin\Pictures\UnpublishReset.raw => C:\Users\Admin\Pictures\unpublishreset.raw.lockfile	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe

Deletes itself 1 IoCs

pid	Process
1164	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sysprep\en-US\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net8185.inf_amd64_neutral_4ab014d645098f5f\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\Setup\de-DE\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wave.inf_amd64_neutral_7a0a0b166f55e1aa\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wialx003.inf_amd64_neutral_db618863f9347f9a\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\en-US\Licenses\OEM\Enterprise\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\en-US\Licenses\OEM\HomeBasicN\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\IME\imekr8\dicts\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\Microsoft-Windows-TerminalServices-LicenseServer\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidserv.inf_amd64_neutral_f2223e39f37c69f3\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_neutral_4616c3de1949be6d\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnts002.inf_amd64_neutral_ad2aa922aa11af2c\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\HomeBasicN\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\inetsrv\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\de-DE\Licenses\OEM\UltimateN\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmsun1.inf_amd64_neutral_6184912bd8e5b438\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\ja-JP\Licenses\OEM\UltimateE\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\fr-FR\Licenses\eval\HomePremiumE\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\ja-JP\Licenses\_Default\EnterpriseE\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\winrm\040C\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\de-DE\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\de-DE\Licenses\eval\HomePremiumN\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netw5v64.inf_amd64_neutral_a6b778ba802632cc\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00v.inf_amd64_neutral_86ff307c66080d00\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\IME\imekr8\dicts\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\Microsoft\Protect\S-1-5-18\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\spp\tokens\channels\OCUR\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmisdn.inf_amd64_neutral_061c61abd3904560\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmot64.inf_amd64_neutral_1abbad2f29c8fa08\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky004.inf_amd64_neutral_5db759db19acd3ae\Amd64\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wudfusbcciddriver.inf_amd64_neutral_adc3e4acb1046b4b\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbr005.inf_amd64_neutral_d140721f97061bba\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\ja-JP\Licenses\OEM\HomePremium\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\EnterpriseN\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\StarterN\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmcd.inf_amd64_neutral_49212f5920298e45\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\de-DE\Licenses\_Default\StarterN\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmct.inf_amd64_neutral_15bb3ed734fbbeb3\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\EnterpriseE\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\de-DE\Licenses\_Default\EnterpriseE\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\Amd64\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\en-US\Licenses\OEM\Professional\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\fr-FR\Licenses\eval\EnterpriseN\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\xcbdav.inf_amd64_neutral_cf80e4da1c95e6e2\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\WCN\ja-JP\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\StarterE\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hpoa1ss.inf_amd64_neutral_8cae09a2238d64e0\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\migwiz\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\spool\drivers\x64\3\mui\0411\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msports.inf_amd64_neutral_fdcfb86ce78678d1\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00b.inf_amd64_neutral_89b555703683b583\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\Ultimate\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\000b\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\61883.inf_amd64_neutral_a64d66bac757464c\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnts003.inf_amd64_neutral_33a68664c7e7ae4b\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Amd64\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsv002.inf_amd64_neutral_6ca80563d6148ee5\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\sysprep\ja-JP\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\migwiz\PostMigRes\data\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\ulaanbaatar	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\m1033dsk.csd	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\an00790_.wmf	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\j0299587.wmf	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\sydney	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_ja_4.4.0.v20140623020002.jar	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\Microsoft Games\Mahjong\en-US\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jre7\lib\psfontj2d.properties	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\currie	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ois_k_col.hxk	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\apothecaryletter.dotx	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\yellowknife	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-outline.jar	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfxrt.jar	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\so00223_.wmf	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\explode.wav	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\santo_domingo	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files (x86)\Google\Update\Download\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\na02384_.wmf	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_ja.jar	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_zh_cn.jar	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\so00159_.wmf	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\dadshirt.htm	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\nacl_irt_x86_64.nexe	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\j0185790.wmf	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\na00433_.wmf	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ois_col.hxc	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\gmt-9	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jre7\lib\javafx.properties	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\novosibirsk	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\cp1257.txt	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\hh00526_.wmf	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\j0107344.wmf	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\bd09194_.wmf	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\invite.dpv	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\drive.crx	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.properties	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\hammer.wav	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\atikokan	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\wow64_microsoft-windows-peerdist.resources_31bf3856ad364e35_6.1.7600.16385_en-us_770e5d0d8236c3e3\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-wininit-mof_31bf3856ad364e35_6.1.7600.16385_none_dab7329caadd1b06\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\x86_wwf-system.workflow.activities_31bf3856ad364e35_6.1.7601.17514_none_346d5ccdd640c664\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\f02737c83305687a68c088927a6c5a98\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-lua-events_31bf3856ad364e35_6.1.7600.16385_none_f972da427061ad7d\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..orkbridge.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_da7d875d7cdbadac\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..tore-main.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7ee6f65a4890452c\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_prnca00e.inf_31bf3856ad364e35_6.1.7600.16385_none_deda1dd628caac71\Amd64\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-0000040c_31bf3856ad364e35_6.1.7600.16385_none_63b82740a408648a\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Printing.resources\3.0.0.0_ja_31bf3856ad364e35\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-classpnp_31bf3856ad364e35_6.1.7601.17514_none_73a9340ac2b15f83\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-font-truetype-nyala_31bf3856ad364e35_6.1.7600.16385_none_11cc5af51bce7775\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..g-printticket-win32_31bf3856ad364e35_6.1.7601.17514_none_7180ae1eb5ce8062\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..mework-msctfmonitor_31bf3856ad364e35_6.1.7600.16385_none_e1310860626a47c0\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..stack-msg.resources_31bf3856ad364e35_6.1.7600.16385_en-us_be3a8032ad0468c2\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft.windows.h..r.media-driverclass_31bf3856ad364e35_6.1.7600.16385_none_f6a491aca769f33d\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-r..r-wow64-c.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_a6293bfc947c38b6\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.Diagnostics\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.InfoPath.Xml\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Windows.Forms.resources\2.0.0.0_ja_b77a5c561934e089\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..ience-common-logger_31bf3856ad364e35_6.1.7600.16385_none_c9643ae2e72c5455\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..tion_service_iassam_31bf3856ad364e35_6.1.7600.16385_none_d7a455396d6b4a2d\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data.SqlXml\7111bf18edb7bf9d986782131f797acb\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-compact.resources_31bf3856ad364e35_6.1.7600.16385_en-us_29b7d82b94f046f3\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..inboxgames-freecell_31bf3856ad364e35_6.1.7600.16385_none_b466b741b68bd29a\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_srpuxnativesnapin.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_db8afb8d87bbab53\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..alization.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_eaf7391d31d716b1\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_webevent_sqlprov_b03f5f7f11d50a3a_6.1.7600.16385_none_77bb8934c5837c8b\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\mcplayerinterop\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_hpoa1so.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_693571c6bf1b4671\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0d9eaf338e48b7ba\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-wasw.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_218fdc47c352aaef\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_de-de_7ba77acb59b8270b\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\x86_wpf-presentationhostexe_31bf3856ad364e35_6.2.7601.17514_none_3a2a6a811d2b5065\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..tings-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9c2860b4bd838590\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_prngt004.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_dda72e86020ad6ee\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-r..-detector.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6ff74c436d7bbee2\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-scheduleui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_fa33ed2575ba914c\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_filter_dll_b03f5f7f11d50a3a_6.1.7600.16385_none_a9d77998142ec36c\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_mdmsonyu.inf_31bf3856ad364e35_6.1.7600.16385_none_50730731913a42a2\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-devicecenter.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_585d2a750d1f79b8\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..revention.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_dde37d0503aa8003\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-vssadmin.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b039d8914a98caf0\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_netfx35linq-system.data.entity_31bf3856ad364e35_6.1.7601.17514_none_913a3c3df2332df4\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_eventviewersettings.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_21f72c556adb6572\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_mdmbr004.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_7c16063e1779e206\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-shgloss.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2cd280231ceb6492\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-winrsplugins.resources_31bf3856ad364e35_6.1.7600.16385_en-us_159345c6da1672e1\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-printing-xpsprint_31bf3856ad364e35_7.1.7601.16492_none_9ec29e48fab6a73c\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..figurator.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_bf45d11d71d42eef\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-driverquery.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_9f6b6db5169aeca7\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-rpc-http_31bf3856ad364e35_6.1.7601.17514_none_a20056db9d9602b9\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..lprovider.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c89a83791977ffb6\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..trolpanel.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_beb1ea48766179a4\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemCore\v4.0_4.0.0.0__b77a5c561934e089\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\1033\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dhcpserverapi_31bf3856ad364e35_6.1.7600.16385_none_0470f747fc8c0721\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-directwrite-fontcache_31bf3856ad364e35_6.1.7601.17514_none_62d013bb27eebf5d\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\msil_mmcfxcommon.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f56e7e8fbf484ed1\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\msil_system.web.services.resources_b03f5f7f11d50a3a_6.1.7600.16385_de-de_adac521f6154526f\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-x..ocess-mui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a8f3f70ef3c58505\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_ds-ui-ext.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7a2b039113f0c5bf\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-safemodc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d8249e1eba516eb0\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-migrate.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0448fd145bf6c9a7\JZCKHXIN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe

Kills process with WMI 9 IoCs

evasion

pid	Process
476	WMIC.exe
1860	WMIC.exe
948	WMIC.exe
860	WMIC.exe
1504	WMIC.exe
824	WMIC.exe
1804	WMIC.exe
1976	WMIC.exe
1628	WMIC.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2020	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	948	WMIC.exe
Token: SeSecurityPrivilege	948	WMIC.exe
Token: SeTakeOwnershipPrivilege	948	WMIC.exe
Token: SeLoadDriverPrivilege	948	WMIC.exe
Token: SeSystemProfilePrivilege	948	WMIC.exe
Token: SeSystemtimePrivilege	948	WMIC.exe
Token: SeProfSingleProcessPrivilege	948	WMIC.exe
Token: SeIncBasePriorityPrivilege	948	WMIC.exe
Token: SeCreatePagefilePrivilege	948	WMIC.exe
Token: SeBackupPrivilege	948	WMIC.exe
Token: SeRestorePrivilege	948	WMIC.exe
Token: SeShutdownPrivilege	948	WMIC.exe
Token: SeDebugPrivilege	948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	948	WMIC.exe
Token: SeRemoteShutdownPrivilege	948	WMIC.exe
Token: SeUndockPrivilege	948	WMIC.exe
Token: SeManageVolumePrivilege	948	WMIC.exe
Token: 33	948	WMIC.exe
Token: 34	948	WMIC.exe
Token: 35	948	WMIC.exe
Token: SeIncreaseQuotaPrivilege	948	WMIC.exe
Token: SeSecurityPrivilege	948	WMIC.exe
Token: SeTakeOwnershipPrivilege	948	WMIC.exe
Token: SeLoadDriverPrivilege	948	WMIC.exe
Token: SeSystemProfilePrivilege	948	WMIC.exe
Token: SeSystemtimePrivilege	948	WMIC.exe
Token: SeProfSingleProcessPrivilege	948	WMIC.exe
Token: SeIncBasePriorityPrivilege	948	WMIC.exe
Token: SeCreatePagefilePrivilege	948	WMIC.exe
Token: SeBackupPrivilege	948	WMIC.exe
Token: SeRestorePrivilege	948	WMIC.exe
Token: SeShutdownPrivilege	948	WMIC.exe
Token: SeDebugPrivilege	948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	948	WMIC.exe
Token: SeRemoteShutdownPrivilege	948	WMIC.exe
Token: SeUndockPrivilege	948	WMIC.exe
Token: SeManageVolumePrivilege	948	WMIC.exe
Token: 33	948	WMIC.exe
Token: 34	948	WMIC.exe
Token: 35	948	WMIC.exe
Token: SeIncreaseQuotaPrivilege	860	WMIC.exe
Token: SeSecurityPrivilege	860	WMIC.exe
Token: SeTakeOwnershipPrivilege	860	WMIC.exe
Token: SeLoadDriverPrivilege	860	WMIC.exe
Token: SeSystemProfilePrivilege	860	WMIC.exe
Token: SeSystemtimePrivilege	860	WMIC.exe
Token: SeProfSingleProcessPrivilege	860	WMIC.exe
Token: SeIncBasePriorityPrivilege	860	WMIC.exe
Token: SeCreatePagefilePrivilege	860	WMIC.exe
Token: SeBackupPrivilege	860	WMIC.exe
Token: SeRestorePrivilege	860	WMIC.exe
Token: SeShutdownPrivilege	860	WMIC.exe
Token: SeDebugPrivilege	860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	860	WMIC.exe
Token: SeRemoteShutdownPrivilege	860	WMIC.exe
Token: SeUndockPrivilege	860	WMIC.exe
Token: SeManageVolumePrivilege	860	WMIC.exe
Token: 33	860	WMIC.exe
Token: 34	860	WMIC.exe
Token: 35	860	WMIC.exe
Token: SeIncreaseQuotaPrivilege	860	WMIC.exe
Token: SeSecurityPrivilege	860	WMIC.exe
Token: SeTakeOwnershipPrivilege	860	WMIC.exe
Token: SeLoadDriverPrivilege	860	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1356	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	28
PID 1364 wrote to memory of 1356	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	28
PID 1364 wrote to memory of 1356	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	28
PID 1356 wrote to memory of 948	1356	cmd.exe	29
PID 1356 wrote to memory of 948	1356	cmd.exe	29
PID 1356 wrote to memory of 948	1356	cmd.exe	29
PID 1364 wrote to memory of 1760	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	31
PID 1364 wrote to memory of 1760	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	31
PID 1364 wrote to memory of 1760	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	31
PID 1760 wrote to memory of 860	1760	cmd.exe	32
PID 1760 wrote to memory of 860	1760	cmd.exe	32
PID 1760 wrote to memory of 860	1760	cmd.exe	32
PID 1364 wrote to memory of 528	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	33
PID 1364 wrote to memory of 528	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	33
PID 1364 wrote to memory of 528	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	33
PID 528 wrote to memory of 476	528	cmd.exe	34
PID 528 wrote to memory of 476	528	cmd.exe	34
PID 528 wrote to memory of 476	528	cmd.exe	34
PID 1364 wrote to memory of 576	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	35
PID 1364 wrote to memory of 576	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	35
PID 1364 wrote to memory of 576	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	35
PID 576 wrote to memory of 1504	576	cmd.exe	36
PID 576 wrote to memory of 1504	576	cmd.exe	36
PID 576 wrote to memory of 1504	576	cmd.exe	36
PID 1364 wrote to memory of 1640	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	37
PID 1364 wrote to memory of 1640	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	37
PID 1364 wrote to memory of 1640	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	37
PID 1640 wrote to memory of 1860	1640	cmd.exe	38
PID 1640 wrote to memory of 1860	1640	cmd.exe	38
PID 1640 wrote to memory of 1860	1640	cmd.exe	38
PID 1364 wrote to memory of 1552	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	39
PID 1364 wrote to memory of 1552	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	39
PID 1364 wrote to memory of 1552	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	39
PID 1552 wrote to memory of 824	1552	cmd.exe	40
PID 1552 wrote to memory of 824	1552	cmd.exe	40
PID 1552 wrote to memory of 824	1552	cmd.exe	40
PID 1364 wrote to memory of 1960	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	41
PID 1364 wrote to memory of 1960	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	41
PID 1364 wrote to memory of 1960	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	41
PID 1960 wrote to memory of 1804	1960	cmd.exe	42
PID 1960 wrote to memory of 1804	1960	cmd.exe	42
PID 1960 wrote to memory of 1804	1960	cmd.exe	42
PID 1364 wrote to memory of 1900	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	43
PID 1364 wrote to memory of 1900	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	43
PID 1364 wrote to memory of 1900	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	43
PID 1900 wrote to memory of 1976	1900	cmd.exe	44
PID 1900 wrote to memory of 1976	1900	cmd.exe	44
PID 1900 wrote to memory of 1976	1900	cmd.exe	44
PID 1364 wrote to memory of 992	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	45
PID 1364 wrote to memory of 992	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	45
PID 1364 wrote to memory of 992	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	45
PID 992 wrote to memory of 1628	992	cmd.exe	46
PID 992 wrote to memory of 1628	992	cmd.exe	46
PID 992 wrote to memory of 1628	992	cmd.exe	46
PID 1364 wrote to memory of 1508	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	51
PID 1364 wrote to memory of 1508	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	51
PID 1364 wrote to memory of 1508	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	51
PID 1364 wrote to memory of 1684	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	52
PID 1364 wrote to memory of 1684	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	52
PID 1364 wrote to memory of 1684	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	52
PID 1364 wrote to memory of 1560	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	53
PID 1364 wrote to memory of 1560	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	53
PID 1364 wrote to memory of 1560	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	53
PID 1364 wrote to memory of 1016	1364	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	54

C:\Users\Admin\AppData\Local\Temp\a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
"C:\Users\Admin\AppData\Local\Temp\a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%vmwp%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%vmwp%'" call terminate
    3⤵
    - Kills process with WMI
    - Suspicious use of AdjustPrivilegeToken
    PID:948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%virtualbox%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%virtualbox%'" call terminate
    3⤵
    - Kills process with WMI
    - Suspicious use of AdjustPrivilegeToken
    PID:860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%vbox%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%vbox%'" call terminate
    3⤵
    - Kills process with WMI
    PID:476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%sqlservr%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%sqlservr%'" call terminate
    3⤵
    - Kills process with WMI
    PID:1504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%mysqld%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%mysqld%'" call terminate
    3⤵
    - Kills process with WMI
    PID:1860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%omtsreco%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%omtsreco%'" call terminate
    3⤵
    - Kills process with WMI
    PID:824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%oracle%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%oracle%'" call terminate
    3⤵
    - Kills process with WMI
    PID:1804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%tnslsnr%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%tnslsnr%'" call terminate
    3⤵
    - Kills process with WMI
    PID:1976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%vmware%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%vmware%'" call terminate
    3⤵
    - Kills process with WMI
    PID:1628
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1508
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1684
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1560
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1016
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:792
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:436
- C:\Windows\system32\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 && del "C:\Users\Admin\AppData\Local\Temp\a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe" && exit
  2⤵
  - Deletes itself
  PID:1164
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1016-80-0x000007FEFC271000-0x000007FEFC273000-memory.dmp

Filesize
8KB

Download